 

Insecure version of Django

Tags:

python

django

The Django docs for version 1.3 and earlier say:

This document is for an insecure version of Django that is no longer supported. Please upgrade to a newer release!

Also docs for v1.1 aren't shown.

  1. In what way is it insecure?

  2. What would be the drawback for someone who still uses these versions?

  3. Why wasn't it insecure when it was released or say was widely used?

  4. What do they mean by support, is it about the bug fixes that they make?

  5. Why are the docs of v1.1 not shown? Are Django developers so sure nobody uses them now?

I got many one-line answers, but they weren't satisfactory.

akki asked Dec 09 '22 08:12


2 Answers

The disclaimer means, "Don't ask us for help, you're doing something that we told you not to do."

  1. It is insecure in the sense that no newly discovered vulnerabilities are being patched. You can search the NIST Vulnerability Database for Django to see a list of possible issues. "No longer supported" means that when an issue is found with a version of Django, nobody is required to make an effort to see whether or not the issue exists in versions 1.3 or before, and no fixes will be issued.

  2. Other than not having access to new features, these versions may be vulnerable to attacks that have been mitigated in currently maintained versions of Django. If you were to choose to use these versions, it would be your job to investigate newly discovered vulnerabilities and fix them yourself. This is a Bad Idea, not just because it's a lot of work, but because there would be no community scrutiny of fixes you might attempt, and there's no testing going on to find new issues before the bad guys do.

  3. It was insecure, at least in the sense that the vulnerabilities existed. When the Django docs refer to 1.3 and before as insecure versions, they don't mean that the code rotted. They mean that the code may be vulnerable to newly discovered attacks, and they aren't going to do anything about it. Think of it more as a "use at your own risk."

  4. Yes. You don't get bug fixes for this version. Backporting fixes takes valuable developer time, which is why nobody supports a version of a product indefinitely.

Summary: Don't use this version. The Django docs are warning you away from it for good reason.

Jon S. answered Dec 11 '22 09:12


Releases which are older than the supported versions are labeled as insecure because they do not receive security-related fixes when vulnerabilities are found. The set of supported versions is documented as part of the release process, in particular: https://docs.djangoproject.com/en/stable/internals/release-process/#supported-versions

Security fixes will be applied to the current master and the previous two minor releases.

At the time of this answer, 1.6.x is the current stable release, meaning that security-related fixes will be backported and released for 1.5.x. 1.4.x has been deemed a long-term support release and will receive security updates until March 2015. Some of the recent security fixes do not impact 1.3.x because they were related to features released after 1.3.x, such as the DOS related to the password hashers: https://www.djangoproject.com/weblog/2013/sep/15/security/

However, other security issues do potentially impact 1.3.x projects and were not backported because it was out of support per the release policy, such as https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/ or https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/. If you continue to use a version of Django which is not receiving security updates, then it would be up to you to determine if your version was impacted and to take the necessary measures to fix the issue.

Mark Lavin answered Dec 11 '22 07:12
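The release policy Mark Lavin describes (current stable gets all fixes, the previous minor release gets security backports, 1.4.x is LTS until March 2015, anything older gets nothing) can be turned into a check that an operator runs against the version their project pins. This is an added example, not code from the Django project or from either answer; the support table is constructed from the answer's text as of late 2013, and the exact LTS end day (31 March 2015) is an assumption, so refresh it from the release-process page before relying on it.

```python
from datetime import date

# Constructed from the answer above (state of the policy when it was written).
# Assumption: the LTS window ends on the last day of March 2015.
CURRENT_STABLE = (1, 6)                 # receives all bug and security fixes
SECURITY_ONLY = {(1, 5)}                # previous minor release, security backports only
LTS_END = {(1, 4): date(2015, 3, 31)}   # long-term support series and its end date


def parse_series(version):
    """Return the (major, minor) release series of a version string such as '1.3.7'."""
    parts = version.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts[:2]):
        raise ValueError("unrecognised Django version: %r" % version)
    return int(parts[0]), int(parts[1])


def security_support(version, today):
    """Classify a Django version against the release policy on a given date.

    Returns (supported, reason). A False result means that vulnerabilities
    found after `today` will not be fixed in this series by the project, so
    the operator owns triage and patching for it.
    """
    series = parse_series(version)
    if series > CURRENT_STABLE:
        return True, "development version, tracks master"
    if series == CURRENT_STABLE:
        return True, "current stable release"
    if series in SECURITY_ONLY:
        return True, "previous minor release, security fixes backported"
    if series in LTS_END:
        end = LTS_END[series]
        if today <= end:
            return True, "LTS release, security updates until %s" % end.isoformat()
        return False, "LTS release, support ended %s" % end.isoformat()
    return False, "older than supported versions, no security fixes"


if __name__ == "__main__":
    # Constructed sample of pinned versions an inventory scan might report.
    for pinned in ("1.3.7", "1.4.10", "1.5.5", "1.6.2"):
        ok, why = security_support(pinned, date.today())
        print("%-7s %s  %s" % (pinned, "OK " if ok else "FIX", why))
```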